There has been little progress on the draft EU Data Protection Regulation since October.  However, the Greek Government took over the Presidency of the Council of the European Union in January 2014, so it is now up to them to progress this legislation.

It is clear that delays are inevitable. Even if the draft is agreed at the Justice and Home Affairs Ministers Council meeting in June, the process then continues with three-party negotiations between Justice and Home Affairs Ministers, the European Commission and the European Parliament.

That process is unlikely to start before the autumn, which would mean that the EU Regulation must be delayed until the end of this year or, more likely, until early 2015.  This will delay the law coming into force until the end of 2016 at the earliest, and more likely in 2017.

Three aspects of the new legislation that we have not covered in previous blogs are:

·         International Data Transfers:  this is a new certification programme which will allow data controllers and processers to apply for certification under The European Data Protection Seal. The certificate will be gained through an audit of data processing activity and certification granted by data protection authorities or accredited third parties.  The European Data Protection Seal will enable legitimate transfers of data outside the EEA to recipients who also hold a Seal.

·         Data Protection Officers:  though still in the draft stage, it is clear that firms will be encouraged or required to appoint data protection officers (DPOs) to ensure an organisation uses, controls and processes data compliantly, nationally and / or globally.  There are 500 million citizens within Europe, and currently, a DPO is to be appointed if an organisation processes data on more than 5,000 individuals per annum.

·         One Stop Shop continues to be a subject of fierce debate.  It is significantly different from current legislation where a business is always subject to the data protection authority in each and every country in which it operates.  Under the new One Stop Shop rule, a business which operates in several of the EU Member states would only be subject to the national data protection authority in the country where its Head Office is based.

The debate relates to citizens’ human rights – any data protection complaint made against a company whose head office location is in a different country, will mean that individuals must complain to their own national data protection authority, who will then pass it onto the authority in the relevant country.  This complexity will make it difficult for individuals to complain simply and effectively, and argument rages over whether and to what extent this might undermine human rights.

If you are concerned about how the new European legislation might affect you or your business, don’t hesitate to get in touch with Victoria or Michelle on 01787 277742.  Or emailvictoria@tuffillverner.co.uk  or michelle@tuffillverner.co.uk